Most people believe that, like a letter, once it is delivered, an email is immutable. However, a new email exploit turns that assumption on its head. Email is the most common method of communication and information exchange.

It is hardly surprising that cyber criminals focus their efforts on this new exploitable avenue. Imagine if a cyber criminal could remotely change, at will, the content that you see in your email. Even worse, what if a benign URL could be swapped with a malicious one, once the email has been delivered to your inbox and without direct access to your PC or email application? Apparently now, it can.

A technique exists that allows attackers to turn an apparently harmless email into a malicious one after it has already been delivered to the victim’s inbox. Dubbed “Ropemaker” (Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky) by a security researcher at Mimecast, an attacker can deploy this technique to remotely alter the content of an email after it has been sent.

The Ropemaker attack’s origin lies at the intersection of email and web technologies, more specifically Cascading Style Sheets (CSS) used with Hypertext Mark-up Language (HTML). These are the text-based languages that control fonts, colours, graphics and hyperlinks, and they are fundamental to the way information is presented on the Internet today. While the use of CSS and HTML has made email more dynamic and visually attractive than its purely text-based predecessor, it has also shown that this web technology is open to exploitation.

Ropemaker’s leverage is based on the fact that the CSS an email uses can be stored remotely and fetched when the message is displayed. This gives an attacker remote control over how the email is rendered, and therefore over its content. That ability could enable attackers to direct unwitting users to malicious websites or cause other harmful consequences. As emails have already passed through spam and security filters before landing in an inbox, this technique could be used to bypass common security controls and fool even the most security-savvy user.

Using Ropemaker, an attacker can change the displayed content of an email. For example, a benign URL that points to a legitimate website could be swapped for a malicious one that redirects the user to a compromised site or a phishing website, in an email already delivered to your inbox. By using CSS to issue commands, plain text could be turned into a malicious URL or edited in the body of an email, all without direct access to the inbox. An attacker also has the option of writing a matrix of text in an email and then using the remote CSS to selectively control which parts are displayed. With this trick, any text can be shown in the body of the email, including malicious URLs. The key to its success is that the email as received by the victim does not display the URL, which makes it much harder to detect. Ropemaker could be leveraged in ways that are limited only by the creativity of the cyber criminal, which is often unlimited.

When an email is altered post-delivery and a malicious URL is added, for example, an email gateway solution such as Mimecast cannot find, rewrite, or inspect the destination site when it is clicked on, because at the time of delivery there was no URL to detect. Doing so would require interpreting CSS files, which is currently beyond the scope of email security systems.

Cyber criminals are always looking for the next email attack technique to use. Short of reverting to plain-text emails that do not incorporate CSS, there is currently little to guard against this type of attack. As always, when dealing with financial transactions and sensitive information, it is crucial to remain hyper-vigilant.
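The defensive point of the two paragraphs above is that Ropemaker depends on the recipient's mail client fetching a stylesheet from a server the attacker controls at the moment the message is rendered, so a gateway that detects or strips remote CSS references removes that lever before delivery. The scanner below is an added example written for this article (not Mimecast's product and not the researcher's proof of concept). Using only Python's standard library, it walks the text/html parts of a raw message, flags `<link rel="stylesheet">` tags and `@import` rules whose target is an http(s) URL, and offers a neutralising pass that strips them while leaving inline CSS intact. The sample message, hostnames and URLs are constructed for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed HTML body: a harmless-looking invoice notice that pulls its
# stylesheet from an external host (remote CSS) and @imports a second one.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/styles.css">
<style>
body { font-family: sans-serif; }
@import url("https://assets.example.net/more.css");
</style>
</head><body>
<p>Please see the attached invoice.</p>
</body></html>"""

# Constructed raw message wrapping the HTML above in a multipart/alternative body.
SAMPLE_EML = f"""From: sender@example.com
To: recipient@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please see the attached invoice.
--b1
Content-Type: text/html; charset=utf-8

{SAMPLE_HTML}
--b1--
"""

# Matches @import "https://..." or @import url("https://...") inside a <style> block.
IMPORT_RE = re.compile(r"@import\s+(?:url\(\s*)?[\"']?([^\"'\)\s;]+)", re.I)
# Patterns used to strip the offending constructs when the gateway chooses to neutralise.
LINK_TAG_RE = re.compile(r"<link\b[^>]*stylesheet[^>]*>", re.I)
IMPORT_RULE_RE = re.compile(r"@import\b[^;]*;?", re.I)


def is_remote(url):
    """True for http(s) or protocol-relative URLs, i.e. content fetched at render time."""
    u = url.strip().lower()
    return u.startswith(("http://", "https://", "//"))


class RemoteCssFinder(HTMLParser):
    """Collects (kind, url) for every remote stylesheet reference in an HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._style_buf = None  # buffers the text of the <style> block being read

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "link":
            if "stylesheet" in a.get("rel", "").lower() and is_remote(a.get("href", "")):
                self.findings.append(("link", a["href"].strip()))
        elif tag == "style":
            self._style_buf = []

    def handle_data(self, data):
        if self._style_buf is not None:
            self._style_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._style_buf is not None:
            css = "".join(self._style_buf)
            self._style_buf = None
            for m in IMPORT_RE.finditer(css):
                if is_remote(m.group(1)):
                    self.findings.append(("import", m.group(1)))


def scan_html(html):
    """Return the list of remote CSS references found in one HTML document."""
    finder = RemoteCssFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def scan_message(raw):
    """Walk every text/html part of a raw RFC 5322 message and report remote CSS references."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


def neutralise_html(html):
    """Remove remote stylesheet links and @import rules; inline CSS is left untouched."""
    html = LINK_TAG_RE.sub("", html)
    return IMPORT_RULE_RE.sub("", html)


if __name__ == "__main__":
    for kind, url in scan_message(SAMPLE_EML):
        print(f"remote CSS via {kind}: {url}")
```

A gateway would run `scan_message` on each inbound message and either quarantine on any finding or deliver the output of `neutralise_html` in place of the original HTML part. The stripping deliberately keeps inline `<style>` rules, since those are fixed at delivery time and can be inspected like any other content; only the constructs that defer the rendering decision to an external server are removed.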
